Here at GoodLayers, we take security issues very seriously. Before we launch any of our themes, we make sure that it does not have any vulnerabilities.
1. When we create themes, we do not write any custom functions to communicate with the database. We access it only through WordPress's own functions, so at this point security depends on WordPress itself.
2. Vulnerabilities can be caused by unreliable third-party scripts that contact third-party URLs. In our case, we only use a script that contacts Google (to pull Google Fonts), and Google is surely a reliable source.
3. Before a theme is launched, Envato reviews it, including a check for inappropriate coding. This ensures that all themes sold on the marketplace follow the best practices of WordPress theme creation, and Envato will reject a theme if its code includes such a vulnerability.
However, these are possible causes of infection.
1. Using shared hosting. Shared hosting (or maybe bad hosting) can cause such an issue. When another customer's site on the same shared hosting as yours gets infected, your site is at high risk too. We can confirm this from our experience. We used to use some cheap local hosting and it was not very good. Some customers' sites got infected and my site was infected too. After cleaning the viruses, it didn't go away, but after we switched hosting (we switched to Media Temple at that time), the problem was completely cleared.
2. Vulnerabilities in third-party plugins. This is one of the most common causes of WordPress site infections. Make sure that you use plugins that are well implemented following the best practices of WP plugin creation, and check that they are updated from time to time so that bugs keep getting fixed and vulnerabilities patched. (We do this with our products all the time.)
3. Bad folder permission settings on your server. Make sure that they are securely set. 644 is recommended for PHP files and 755 is recommended for folders. Missing the right settings can let hackers edit files.
4. Password leaks. Make sure that you set very strong passwords for the admin role, cPanel, the database, etc.
There can be other reasons, but it is good to have these things checked.
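A read-only check for the 644/755 recommendation in item 3 above, as an added example that is not GoodLayers code. The function names and the sample tree are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not GoodLayers code: read-only audit of a WordPress tree
# against the 644 (files) / 755 (folders) recommendation. It changes nothing.

# Files and folders writable by the group or by everyone. These are the
# entries that let another account on the same server edit your code.
list_writable_by_others() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print
}

# Everything that is not exactly 644 (file) or 755 (folder). This also lists
# stricter modes, such as a 600 wp-config.php, so they can be reviewed by hand.
list_mode_deviations() {
    find "$1" \( \( -type f ! -perm 644 \) -o \( -type d ! -perm 755 \) \) -print
}

# Print both lists; succeed only when nothing is writable by group/others.
audit_wp_perms() {
    local root=$1 risky other
    risky=$(list_writable_by_others "$root")
    other=$(list_mode_deviations "$root")
    if [ -n "$risky" ]; then printf 'Writable by group/others:\n%s\n' "$risky"; fi
    if [ -n "$other" ]; then printf 'Not exactly 644/755:\n%s\n' "$other"; fi
    [ -z "$risky" ]
}

# Constructed sample tree for trying the audit (hypothetical paths, not a real site).
make_sample_tree() {
    local d
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wp-content/themes/demo" "$d/wp-content/uploads"
    touch "$d/index.php" "$d/wp-config.php" "$d/wp-content/themes/demo/functions.php"
    find "$d" -type d -exec chmod 755 {} +
    find "$d" -type f -exec chmod 644 {} +
    chmod 600 "$d/wp-config.php"                          # stricter: reported, not risky
    chmod 666 "$d/wp-content/themes/demo/functions.php"   # world-writable file
    chmod 777 "$d/wp-content/uploads"                     # world-writable folder
    printf '%s\n' "$d"
}

# Usage: ./audit.sh /path/to/wordpress   (with no argument, only defines functions)
[ "$#" -eq 0 ] || audit_wp_perms "$1"
```

The exit status is non-zero whenever a file or folder is writable by the group or by everyone, so the script can run from cron or a deploy step and alert on drift.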
We also have some tips.
1. You can try using a WordPress security plugin: https://kinsta.com/blog/wordpress-security-plugins/
2. It is even better to use a DNS service with security features. You may check out the CloudFlare service. It's quite useful.